PicoCTF 2017 – Hash101

Another day, another challenge.

Today’s blog post will be solving the “Hash101” challenge from the PicoCTF.

Let’s get started.

Clicking on the challenge we see…

PicoCTF_Hash101_1

OK we need to hashes to claim our flag. Let’s see what the hints say.

PicoCTF_Hash101_2

Looking at the hints Google will be our friend 🙂

Connecting to the server we see:

PicoCTF_Hash101_3

We need to convert the binary to ASCII text.

Doing a Google search of, “binary to ASCII text converter” search we get the following website.

Going there, we see:

PicoCTF_Hash101_7

Changing the binary to the binary in the challenge we get:

PicoCTF_Hash101_8

The text we’re looking for is “peace” entering this in we are now in the second level of the challenge.

PicoCTF_Hash101_11

We need to find the hex value of our word, peace. Going back to the link referenced above, we see that the hex is referenced.

PicoCTF_Hash101_12

Entering that we now need to enter the decimal equivalent. For this, going back to Google and entering “hex to decimal converter” we get the following link.

Clicking the link we see:

PicoCTF_Hash101_9

Entering the hex value we get the following decimal value.

PicoCTF_Hash101_10

Entering that into the challenge we get the following:

PicoCTF_Hash101_13

Going to the third level we see:

PicoCTF_Hash101_14

Reading the description one might ask, what are we looking for?

Remember from the first level of the challenge where we need to find the ASCII text?

Doing a Google search of, “ASCII table” we find the following link.

Opening the link we see the ASCII equivalent of the letters.

We need to find a string that when doing the modulo of base 16 we get a number of 10.

One might wonder… what is modulo?

The modulo is the remainder of a division equation.

We know that we are dividing by 16 and the modulo (remainder) needs to be 10.

One way to achieve this is to find any multiple of 16 and add 10.

Why multiple of 16? Doing a multiple of 16 if we did a modulo of that the modulo would be 0 (as there is no remainder).

Doing this I was able to do the following:

PicoCTF_Hash101_5

Entering 4, we had a module of 4 and not 10.

Entering the string of “:” we were able to complete the level. Why? “:” in ASCII is 58. How did we get 58? 16 * 3  = 48 + 10 = 58. We’re adding 10 because we know we need a remainder of 10.

Moving to level 4 we see:

PicoCTF_Hash101_15

Doing another Google search of, “MD5 decrypter” we get the following link.

Clicking the link and entering the md5 hash, we get the following:

PicoCTF_Hash101_16

Entering this the level we see:

PicoCTF_Hash101_17

Entering this flag into the input box we’ve acquired 50 points!

PicoCTF 2017 – LeakedHashes

Another day, another challenge…

Today’s blog post we’re going to solve the “LeakedHashes” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Leaked_Hashes_1

OK – we need to log into a service, but we do not know the password. We do have leaked hash passwords.

Clicking the hashdump.txt file we see:

PicoCTF_Leaked_Hashes_2

Let’s see what the hints say.

PicoCTF_Leaked_Hashes_3

OK. Let’s see if we can find a way to crack these passwords!

Doing a Google search for “online cracked hashes” we get the following link.

Trying the first hash of root we were not able to crack the password.

Using the second hash of christene, we get:

PicoCTF_Leaked_Hashes_4

We were able to crack the password.

Let’s try to login in with christene.

Going back to the commnd line and using the nc command we get:

PicoCTF_Leaked_Hashes_5

Scrolling down we see:
PicoCTF_Leaked_Hashes_6

We found the flag, and acquired 90 points!!!

PicoCTF 2017 – Mystery Box

Another day, another challenge.

In today’s blog post we will be solving the “Mystery Box” challenge from the PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Mystery_Box_1

OK, we have a mystery machine, with a stick note, and a picture.

Clicking on the sticky note link we see:
PicoCTF_Mystery_Box_2

OK… we have a note. This is going to be useful later.

Clicking on the picture link we see:

PicoCTF_Mystery_Box_3

Going back to the challenge and click on the hints we see:

PicoCTF_Mystery_Box_4

OK. The hints tell us that this box uses gear and it was used from the naval services. Also we have the name of Turing… let’s see what Google would provide us.

Doing a Google search of “Turing machine naval” we get the following link.

This link is the enigma machine emulator.

The enigma machine was used in WW2 (World War 2) to help crack secret messages from Nazi Germany.

The person who was responsible for this machine was Alan Turing. Alan Turing was the father of computer science. He was a computer scientist, mathematician, logician, etc. If you want to read more about his life, click here.

Going back to the enigma machine emulator we see:

PicoCTF_Mystery_Box_5

Hmm… we see that the words are similar to are listed in the note.

Let’s use that to figure out what the enigma machine will return us.

After entering the information we get:

PicoCTF_Mystery_Box_6

Hmm… The enigma machine returned – “quite puzzling indeed”.

Putting this in as the flag, we acquired 60 points!!

PicoCTF 2017 – My First SQL

Another day, another challenge.

Today’s blog post we will be solving the challenge, “My First SQL” from the PicoCTF.

Let’s get started.

Going to the challenge we see:

PicoCTF_My_First_SQL_1

OK… we need to access a website, but we do not have the password. Let’s see what the hints give us.

PicoCTF_My_First_SQL_4

Clicking the website link we see:

PicoCTF_My_First_SQL_2

Doing a right click, view page source we see:

PicoCTF_My_First_SQL_3

We do not see anything useful. We have a form that is looking for a username and password.

Going back to the hints, let’s do a Google search of SQL Injection.

After doing the search we have a link, that specifies how to do a SQL injection to do login bypass.

Let’s do it.

Going back to the website, we see that we have a username and password.

Let’s try using a username of “admin”

and a password of ” ‘ OR ‘1’=’1′ ”

PicoCTF_My_First_SQL_5

Pressing login we get:

PicoCTF_My_First_SQL_6

We found the flag, and acquired 50 points!

PicoCTF 2017 – Hex2Raw

Another day, another challenge…

Today’s challenge we will be solving the Hex2Raw challenge in the PicoCTF.

Let’s start.

Clicking on the challenge we see the following:

PicoCTF_Hex2Raw_1

OK. With this challenge we see that we need to print unprintable characters from the following location.

Let’s see what the hints give us.

Clicking on the hints we see:

PicoCTF_Hex2Raw_2

OK. We can see that Google has easy techniques to do this.

Let’s go to the command line and see what we can do.

After logging in and going to the directory we see the following:

PicoCTF_Hex2Raw_3

Running the hex2raw application we see:

PicoCTF_Hex2Raw_4

I pressed Ctrl + C to end the program.

OK. We are given raw input and we need to convert it to hexadecimal character.

Doing a Google search we noticed that we can use Python to get our desired output.

How would we do this?

With the decode function!

PicoCTF_Hex2Raw_5

Explaining the screenshot below we’re invoking the python interpreter the -c designated that we’re using a command. We’re printing the raw form, and using the decode function designated that we wanted to decode with the hexadecimal system. We’re going to pipe the output to the hex2raw program.

Doing this we see the flag, and acquired 20 points!

PicoCTF 2017 – Master Challenge – Lazy Dev

Another day, another challenge.

Today’s blog post, we’re going to solve the master challenge of level one of the PicoCTF challenge called, “Lazy Dev”.

Let’s get started.

Clicking on the challenge we see the following:

PicoCTF_Lazy_Dev_1

Hmm… we need to log into the application even though the login logic has not been implemented.

Clicking on the link we see:

PicoCTF_Lazy_Dev_2

Going back to the challenge and look at the hints we see:

PicoCTF_Lazy_Dev_3

OK. The hints state maybe we need to interact with JavaScript.

Going back to the website and doing a right click, view page source we see:

PicoCTF_Lazy_Dev_4

We see there’s a input box for password that is calling the process_password function. Where is this function coming from? Maybe it’s coming from line 10 that has a javascript source file named client.

Clicking this file (client.js) we see:

PicoCTF_Lazy_Dev_5

Looking at the first function validate(pword) we notice it’s not implemented. It’s always going to return false, with the comment – todo: implement me

Going back to the hints we remember that we need to access the JavaScript directly. We can do this by viewing the developers tools.

Let’s view the development tools by pressing F12 on our keyboard, and then pressing F5 to refresh the page.

When we do this, we see:

PicoCTF_Lazy_Dev_6

Clicking on the sources we see the files that were loaded from the web page.

PicoCTF_Lazy_Dev_7

Looking at line 26 we see that we’re calling the make_ajax_req. Inside this function we see in line 15 checks the state change. If the state changes we’ll get the password.

How can we change the state when the login has not been implemented?

Let’s see if we can call the make_ajax_req function directly from the console.

First, let’s add a break point to line 15 in the make_ajax_req function.

Next we’ll add the following to the console:

PicoCTF_Lazy_Dev_8

Pressing Enter we go to the break point.

We’re accessing the JavaScript directly!

Stepping through the code multiple time we noticed that we execute line 15 of the make_ajax_req function.

Once it’s done we see there’s text that’s inputted inside the browser.

Looking at the browser we see:

PicoCTF_Lazy_Dev_9

We have the flag!!

Entering the flag we’ve acquired 50 points, and unlocked level 2!

PicoCTF 2017 – computeRSA

Another day, another challenge.

Today’s blog post will explore solving the “computeRSA” challenge in the PicoCTF challenge.

Let’s get started.

Clicking on the challenge we see the following:

PicoCTF_computeRSA_1

OK we need do a calculation for the RSA algorithm. Since we have the encrypted number, then we need to do the decryption.

Let’s look at the hints.

PicoCTF_computeRSA_2

We have the decrypted formula.

So the formula: (150815) ^ 1941 mod 435979

Let’s go to Google and use a python interpreter to find the decrypted number.

Going to the following link we’re presented with the interpreter.

Entering the formula in the interpreter we get the following:

PicoCTF_computeRSA_3

Entering this number as the flag we’ve acquired 50 points!